
Hi all. I'm at my wits' end. I have a computer with the MoneyPak virus. Safe Mode, Safe Mode with Networking, and Command Prompt all reboot before I can reach the desktop. I tried all three options for HitmanPro's Kickstart. It seems to find the trojan (something to do with user32.dll) but after a reboot the virus just comes back. I also tried using a Windows install CD but every time I start Recovery Console, it reboots the computer.

The system is running Windows XP Pro. I'd really like not having to wipe and re-install if at all possible.

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.

A few points to cover before we start:

Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.

Make sure to read my instructions fully before attempting a step.

If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.

Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.

Important information in my posts will often be in bold; make sure to take note of it.

I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.

I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.

Note: Do not install to a folder with spaces in its name. It is best to use the default name C:\UBCD4Win

Note: Your Anti-Virus may report viruses or trojans when you extract UBCD4Win. These are False-Positives.
Read here for information regarding the files that normally trigger AV software.

At the very end, uncheck: Run UBCD4WinBuilder.exe when installation is complete

Click: Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD ROM drive

Open My Computer, and navigate to: C:\ubcd4win

Double-click on UBCD4WinBuilder.exe

Click I Agree to the UBCD4Win PE Builder License

Select No when prompted to Search for Windows installation files

For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, press OK

For Custom: no information is necessary, leave blank

For Output: keep the default BartPE

For Media output select Create ISO image: (enter filename)

Note: Leave the default file name and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso). If you change it, make sure it is a folder without spaces in the name.

Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Click on each option, then click Enable/Disable so the correct value is displayed.

Hi Toffee. Last night before I went to bed (before I saw your reply), I ran Kaspersky's rescue disk. It found a couple of rogue DLL files. Once I rebooted, the virus wasn't there (or at least I can see my desktop now). Should I still run FRST at this point or is there another tool you would like me to run?

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).

When the tool opens, click Yes to disclaimer.

Press the Scan button.

When finished, it will produce a log called FRST.txt in the same directory the tool was run from.

Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise: